Privateclaw Plugin Setup

Security checks across malware telemetry and agentic risk

Overview

This is a coherent PrivateClaw setup helper, but it defaults to bypassing OpenClaw plugin install safety checks for an unpinned external plugin.

Install only if you trust the PrivateClaw publisher and package source. Prefer a pinned version or reviewed local checkout, avoid bypassing install safety checks unless you understand why it is needed, and review active sessions after pairing so background sessions do not remain open longer than intended.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill repeatedly instructs users to install a plugin with `--dangerously-force-unsafe-install` and even says to keep that flag on every manual install path, without any warning, trust validation, or compensating controls. In the context of plugin installation, this encourages bypassing normal safety checks and materially increases the risk of installing malicious or tampered code with full plugin execution privileges inside OpenClaw.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal